Spyware Stoppers

Mary Landesman, PC World magazine

Not long ago, Web- and e-mail-borne viruses were a computer user's worst enemy. Though viruses and worms still cause more damage in compromised or lost data, a newer menace, popularly known as spyware, steals users' productivity and peace of mind. The "spyware" label can apply to legitimate but annoying programs that users consent (perhaps unwittingly) to have installed on their PCs, or it can describe programs that install themselves without permission. Both types of applications can drain your computer's resources, slow your Internet connection, spy on your surfing, and even forcibly redirect your Web browser. For the purposes of this story, we'll call the former category adware and the latter spyware. Adware clearly spells out its intent, comes with an uninstaller, and can be readily removed from a system. Spyware, in contrast, installs itself surreptitiously and can be nearly impossible to remove without assistance.

A crop of anti-spyware programs has sprung up to provide that assistance. We evaluated ten current anti-spyware utilities designed to detect and remove spyware and adware from PCs, looking at their rates of detection, scanning speed, ability to prevent unwanted applications from installing themselves, and ease of use. We were pleased to find that a couple of the programs did a very effective job of cleaning an infected system and preventing new infestations with effective real-time protection.

PC World tested seven products in the $20 to $40 range from big and small vendors: Allume Systems' (formerly Aladdin Systems') Internet Cleanup, Aluria Software's Spyware Eliminator, Computer Associates' ETrust PestPatrol Anti-Spyware, InterMute's SpySubtract Pro, McAfee's AntiSpyware, Sunbelt Software's CounterSpy, and Webroot Software's Spy Sweeper. In addition, we tested two popular free programs--Lavasoft's Ad-Aware SE Personal and Safer Networking's Spybot Search & Destroy--and a third free program that operates very differently but no less effectively, Merijn.org's HijackThis. We did not include HijackThis in our charts because, unlike the others, it does not scan for infections. We also tested one product in beta, Microsoft's new Windows AntiSpyware, which was until late last year Giant Software's AntiSpyware.

We pitted the anti-spyware utilities against 45 adware and spyware programs we've frequently run into in our work. These 45 applications created 81 separate files and processes--which proved a challenge for our apps to remove completely. Spyware infections can begin with a single installation of advertising-supported software. Often, the adware alerts the user to its intentions and the user willingly makes the trade-off in exchange for access to the free program (or blithely clicks the agreement without reading it). But although many adware programs seek your approval prior to installation, not all are so obliging. And even the free application that promises only limited advertising can morph into a system full of spyware by downloading and installing third-party applications.

Adware varies considerably in how it gets on your system. Two common search toolbars we encountered, Slotchbar and WinTools, did not show an End User License Agreement (EULA), in which adware typically declares that it may install additional components. These two installed without our consent and proved the most difficult to remove, using multiple processes that reinitiated one another when anything tried to delete them.

We first tested how effectively a program could remove the spyware's active components; we then looked at each app's real-time protection, for preventing the installations in the first place.

Sunbelt Software's CounterSpy proved the most capable of the bunch, finding and stopping 93 percent of all the running processes created by our 45 test programs. CounterSpy was the only product in our tests that was able to shut down and remove the tenacious WinTools from our system. Webroot Software's Spy Sweeper came in a close second, clearing 89 percent of the active processes (but leaving behind elements associated with both WinTools and Slotchbar). The least effective were McAfee's AntiSpyware and Allume Systems' Internet Cleanup, at a removal rate of 33 percent and 11 percent, respectively.

Spyware often hijacks the user's browser home page and search pages so that attempts to access or search the Internet are redirected to pornography and other unwanted Web sites. What's worse, reversing the automatic redirections can be hard when they're being monitored and restored by active processes. Browser home- and search-page modifications proved quite difficult for these utilities to fix. Internet Cleanup, McAfee AntiSpyware, Computer Associates' ETrust PestPatrol Anti-Spyware, and InterMute's SpySubtract Pro failed to detect any of these changes, and Aluria Software's Spyware Eliminator fixed only 7 percent. CounterSpy once again led the way--but with just a 53 percent success rate.

Browser Helper Objects, or BHOs, are programs that customize Internet Explorer and other browsers, usually for legitimate reasons. The Google Toolbar, for example, is a BHO. But spyware and adware developers also use BHOs to write toolbar components that load with Internet Explorer, and they exploit ActiveX controls to download and install BHOs to your PC. It's an easy way for miscreants to create often unwanted toolbars that escape the notice of permission-based firewalls and gain access to the Internet.

Windows Registry run keys and system startup folders are also favorite launching pads for adware and spyware. Items added to these critical areas will launch each time Windows starts. Unfortunately, the anti-spyware scanners produced less-than-stellar results in this category. CounterSpy detected the most at 86 percent, followed by Spy Sweeper at 82 percent and Ad-Aware at 77 percent. Internet Cleanup found only 5 percent.

We also tested the scanners' detection of additions to a browser's menus. Such changes do not automatically load spyware, but if a user selects the added menu item, an infection can start. CounterSpy and Spy Sweeper had 100 percent detection rates for these buttons and menu items. SpySubtract Pro and Ad-Aware managed to detect 75 percent. Internet Cleanup, ETrust PestPatrol, and McAfee AntiSpyware each had a hit rate of zero in this category.

Cleaning Up the Mess

Our tests challenged the anti-spyware utilities with 45 adware and spyware programs that created a total of 81 infections in different forms. Sunbelt's CounterSpy and Webroot's Spy Sweeper fixed 85 percent and 81 percent, respectively, giving them a comfortable lead over the rest of the field. Allume's Internet Cleanup, on the other hand, detected only 5 percent of infections.

Another Road to Success

The tenth program in our tests, Merijn.org's HijackThis, is not a traditional scanner. HijackThis provides a report of all active processes, startup Registry keys, Startup folder contents, BHOs, and services found on the system. With this program's log, you can locate suspicious or unwanted startup items and remove them. Though identifying the suspicious entries in the log requires an experienced and confident user, the program is easy enough for even a novice to run. Less-experienced users can post their logs to various forums on the Internet for assistance in identifying undesirable processes. (For guidance on using HijackThis, see "Kill Really Stubborn Spyware With This Tool" by PC World's privacy columnist, Andrew Brandt.)

We used HijackThis along with the Add or Remove Programs feature in Windows XP's Control Panel. We were surprised to find that nearly all of the 45 adware/spyware apps on our infected system had a corresponding uninstaller in Add or Remove Programs. (To use these uninstallers effectively requires that you know which programs they belong to; it's not always easy to tell.) By using the uninstallers and following up with HijackThis--which identified and deleted active components not removed by the uninstallers--we obtained our best score yet, killing off 100 percent of all active components of the adware and spyware infecting our machine. We obtained the same result when we followed a CounterSpy scan with HijackThis. No other combination gave us 100 percent--the WinTools processes that the other scanners left in place thwarted our cleanup efforts, and HijackThis was unable to stop the processes on its own.

By the Numbers

We saw a significant difference among scan speeds. The most effective scanner--CounterSpy--was also the fastest, taking only a minute to perform a complete scan of a system with 2.7GB of data. Also fast were Spybot and Spy Sweeper, which scanned our test system in just over 2 minutes. Conversely, Spyware Eliminator was inconsistent and slowest at scanning, taking anywhere from 10 minutes to an hour (we performed multiple scans). The remainder of the scanners took between 4 and 5 minutes.

The spyware scanners reported infections very differently, too. For example, when we installed the WhenUSearch toolbar on our system, CounterSpy saw it as two separate adware objects, WhenUSearch and SaveNow. Ad-Aware, in contrast, detected the same toolbar as a total of 73 objects. And after we allowed CounterSpy to remove all active components of WhenUSearch, Ad-Aware continued to report 5 "critical" objects--these turned out to be 3 empty Registry keys and 2 empty folders. Such alerts can be unnecessarily alarming, and can cause the spyware problem to seem more severe than it is.

Real-Time Monitoring

The ability to remove spyware threats after a machine is infected is vital, but preventing an infection in the first place is even more desirable. One of the most effective tools in this respect was Spybot. Using the included add-on Resident TeaTimer, the utility warned us when any program attempted to make changes to critical areas of the system Registry. Even the spyware processes that were able to load themselves into memory were prevented from changing the Registry and thus were quickly squashed with a simple reboot of the system.

Spybot also includes a feature to protect the Hosts file from modification. The Hosts file provides a sort of road map for the browser; each entry consists of a Web site address and the corresponding IP address to which it is to be redirected. Malicious software creators frequently exploit the file to prevent users from visiting security-oriented pages such as those on antivirus companies' sites.
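An added example, not part of the original article or of any product reviewed here: a short Python audit that reads Hosts-file text and reports the tampering described above. The watched domains and the sample file are constructed placeholders; substitute the security and update sites you actually depend on.

```python
"""Audit Hosts-file text for entries that block or redirect watched sites."""
import ipaddress

# Assumption: hypothetical watch list of security/update domains.
WATCHED_SUFFIXES = ("antivirus-vendor.example", "update.example")

# Constructed sample input (documentation-range addresses, .example names).
SAMPLE = """\
# constructed sample Hosts file, not taken from a real system
127.0.0.1      localhost
::1            localhost
127.0.0.1      www.antivirus-vendor.example    # added by unwanted software
0.0.0.0        liveupdate.update.example
203.0.113.7    www.antivirus-vendor.example download.antivirus-vendor.example
198.51.100.20  search.portal.example
127.0.0.1      ads.tracker.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each name mapped in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one address may carry aliases
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return findings as (line_no, kind, hostname, address).

    blocked    - watched site pinned to loopback/0.0.0.0 (site unreachable)
    redirected - watched site pinned to some other address
    override   - any other name pinned to a non-loopback address
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if is_watched(name, suffixes):
            kind = "blocked" if sinkhole else "redirected"
        elif not sinkhole:
            kind = "override"
        else:
            continue        # localhost and ad-block style entries
        findings.append((line_no, kind, name, str(ip)))
    return findings


if __name__ == "__main__":
    for line_no, kind, name, addr in audit_hosts(SAMPLE):
        print(f"line {line_no}: {kind:<10} {name} -> {addr}")
```

On Windows XP and later the file to feed in normally lives at %SystemRoot%\System32\drivers\etc\hosts; a clean default install maps little beyond localhost, so any finding deserves a look.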

CounterSpy and Spy Sweeper also blocked attempts to modify the Hosts file, stopped edits to the system Registry, prevented our browser home page and search pages from being changed, and detected suspicious processes in memory.

Ad-Aware SE Personal does not include real-time protection, although you can set it to block edits to the Hosts file. The paid versions of Ad-Aware--SE Plus and SE Professional ($27 and $40, respectively)--include Ad-Watch, which has features similar to CounterSpy's and Spy Sweeper's. ETrust PestPatrol Anti-Spyware was able to detect suspicious processes in memory, but it failed to alert us when changes were made to critical system settings. SpySubtract Pro warned us when changes were made to our browser home and search pages, and it detected suspicious processes in memory. McAfee AntiSpyware includes real-time protection, but its low recognition rates diminished its effectiveness.

Neither Spyware Eliminator nor Internet Cleanup provided much in the way of real-time protection. Spyware Eliminator only blacklisted suspect Web sites and ActiveX controls, though this unique blacklist of offending sites and controls is a very nice feature. Like Spyware Eliminator, Internet Cleanup ignored home-page and search-page changes, failed to detect suspicious processes, and lacked Hosts file protection. It did, however, block pop-ups and provide a personal-information blocker to prevent inadvertent disclosure of sensitive data.

Ease of Use

CounterSpy's interface is attractive and simple to use. The Scan Now button appears prominently on the welcome screen, menus are easy to traverse, and shutting down the program does not result in a loss of real-time protection. Ad-Aware's interface is equally attractive, but the program's menus are hidden behind unlabeled icons and require a bit of guesswork to find. Spybot requires the user to first switch to Advanced mode and then sort through various categories to find the most useful settings and tools options. Both Ad-Aware and CounterSpy provided reports that were easy to understand, but Ad-Aware listed a few cookies as "critical" objects--giving the impression that some benign cookies are a high-risk threat.

HijackThis's simple text-based interface presents options well, and the program is exceptionally easy to use--though the results it reports may require an advanced user to decipher.

Spyware Eliminator provides a clean interface with clear menus, but the tool was slow to load. We found Internet Cleanup's interface cluttered and difficult to use. The menus were context-sensitive--they changed depending on the section we were in; and inconveniently, our only recourse when we got in too deep was to click the Home button and start over.

Though easy to navigate, ETrust PestPatrol Anti-Spyware's interface appeared barren and unattractive. It was also a tad confusing initially: The Enter License Key button was the most prominent feature on the welcome screen. Only by reading the fine print were we assured that we had properly registered our copy.

Spy Sweeper's interface was intuitive, but we could not close the main program without also closing real-time protection. As a result, we endured numerous prompts asking if we really wanted to shut down protection or simply minimize the program. At the other extreme, McAfee AntiSpyware installed the McAfee Security Center icon in our system tray, but the Security Center gave no options for--or access to--the anti-spyware component.

Our Picks

You can get an anti-spyware utility for free, but this is one area where going cheap isn't worth the savings. The no-cost Spybot Search & Destroy offers an overall detection rate of 54 percent and provides effective real-time scanning. Keeping on the free path, you could combine Spybot with Ad-Aware SE Personal, whose detection rate for active infections was slightly higher than Spybot's in most categories. However, even when combining Ad-Aware, Spybot, and the free HijackThis, we were unable to remove 100 percent of the infections on our test system.

Sunbelt Software's CounterSpy, our new Best Buy, proved the most capable of the products we tested, with the highest detection rates, cleanest interface, and fastest scan speeds. And its $20 price for a year of updates and tech support is a bargain. You also won't be disappointed by Webroot's Spy Sweeper, which was almost as effective as CounterSpy, scans quickly, and is easy to use. Combining either product with HijackThis--and reasonable caution when installing dubious goodies--you should be able to keep your system pretty well spyware-free.

Beta Update: Future Windows AntiSpyware Looks Like a Winner

As we were completing testing for this story, Microsoft released a beta version of its new Windows AntiSpyware, the product formerly owned by Giant Software, which Microsoft acquired in December 2004. The beta turned in excellent results in our tests. Because its signature files were more up-to-date than those in the rest of the products, we didn't compare it directly with the others in this roundup; nonetheless, AntiSpyware looks like it will be a top-notch product when it's ready for shipping.

It was able to detect 91 percent of the adware/spyware in our test suite, including 96 percent of processes running in memory, 67 percent of home- or search-page modifications, 100 percent of BHOs and toolbars, 95 percent of Registry additions, and 100 percent of other items such as menus and buttons added to programs. The utility scanned our 2.7GB of data in less than 3 minutes. AntiSpyware's real-time monitoring stops infections by preventing changes to the browser home and search pages, identifying unknown processes in memory, blocking unauthorized edits to the Hosts file, and preventing changes to Registry run keys.

To counter browser home- and search-page hijackers, AntiSpyware can automatically reset the pages to the operating system defaults. You can also specify custom home and search pages by selecting Advanced Tools, Browser Hijack Restore. AntiSpyware will alert you to any attempts to change the designated pages from the custom or default settings. This is a better way to handle hijackers than the similar scheme of Webroot's Spy Sweeper, which restores the pages to the settings that were in place when Spy Sweeper was first installed.

Windows AntiSpyware boasts a clean, intuitive interface that is nearly identical in features and layout to that of Sunbelt Software's CounterSpy--an application that also makes use of Giant Software's spyware-signature technology. Unlike CounterSpy, AntiSpyware automatically ignores cookies as it scans--a refreshing change for those users who appreciate the automatic log-ins and site personalization features that cookies can provide.

Protect Yourself Against Spyware: Change or Update Your Browser

You can protect yourself from much spyware by switching from Internet Explorer to a different browser, such as Mozilla Firefox. Still, even alternative browsers have security vulnerabilities that can lead to trouble. And you'll face hassles with the few Web sites that don't function properly with browsers other than IE.

For people who don't want to switch, IE version 6 and later has default security settings to better protect against spyware. (For more on security settings in IE, visit Browser Security.) Upgrading to the latest version, keeping your PC patched (windowsupdate.microsoft.com), and being careful about installing unknown software will help avoid spyware.

At the PC World Spyware Help Center, you can research programs before you install them. For those you do choose to install, make sure you carefully read and understand the implications of the End User Licensing Agreement; it may warn you that it will load other programs. Finally, if you end up with spyware on your system, try the easy route first: Check the Windows Add or Remove Programs list to see if an uninstaller is provided.

Glossary

Confused by BHOs and Hosts? Here's a primer on important terms in anti-spyware lingo.

Adware --PC World defines adware as advertising-supported software that plays by the rules, no matter how obnoxious you might think it. Adware displays a prominent End User Licensing Agreement (EULA) during the install, does not install any other applications without explicitly asking the user's permission, and provides an effective uninstaller in the Windows Add or Remove Programs section.

BHO --Browser Helper Objects are small programs used to customize Internet Explorer. Spyware and adware developers often use Browser Helper Objects to write components that load with Internet Explorer each time it starts.

Cookies --Small text files placed on the user's system when visiting a particular Web site. Cookies can be used to locally store log-in or preference information to help personalize or enhance the user's experience. Most browsers provide a means to block cookies; however, many Web sites will not function properly if cookies are not allowed.

Hijacker --Changes to the system that cause users to be forcibly redirected to Web sites other than those they have specified. A hijacker is often used to redirect users to pornography sites.

Hosts file --A text file that correlates Web site names to specific IP addresses. Entries in the Hosts file will override remote DNS queries typically handled by the ISP. Modifications to the Hosts file can force the user to visit a site other than the one expected or can be used to prevent access to a specified site.

Processes --Any executable programs that use CPU time, memory, or other resources.

Registry --A database of settings used by Windows that control hardware, software, and user preferences. Modifications to the Registry can allow unwanted programs to load, prevent wanted programs from loading properly, or change the user's browser preferences.

Spyware --Software that is surreptitiously installed on the user's system to monitor the user's Internet activities and that often displays advertising based on that monitoring.